Re: Proposed change: "xhr-src" to "connect"

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 22 Jun 2011 08:59:40 +0100
Message-ID: <BANLkTinqjrQtN6WN8Gt3sL+_cyCB-haiHg@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>

On 22 June 2011 01:42, Brandon Sterne <bsterne@mozilla.com> wrote:

> Although Worker scripts are restricted to same-origin as the invoking
> page, they can load arbitrary additional scripts from any origin using
> the importScripts API.  In this sense, they are very similar to <script>
> elements.  Yes, they execute in a different context than the parent
> document, but sites will still want to have control over where those
> scripts can be pulled in from.  This is another reason to lump them in
> with script-src, IMO.
>

I agree with the proposal, and could I suggest an options directive which
allows/disallows cookies. This would allow the site to stop XHR or workers
from retrieving pages as the currently logged on user. It would also enable
workers to be used safely in a sandbox context.

Received on Wednesday, 22 June 2011 08:00:07 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC
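The point in the quoted message is that a script pulled into a worker via importScripts should be checked against the same script-src source list as a <script> element. The following is an added illustration, not code from this thread or from any browser or CSP implementation: a small Python model of script-src source matching ('none', 'self', scheme sources, host sources with a leading wildcard and an optional port) that returns whether a given script URL is permitted; the page and URLs are constructed sample values.

```python
from urllib.parse import urlparse

# Ports assumed when a URL or source expression omits one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlparse(url)
    return p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme)


def _host_matches(pattern_host, host):
    """'*.example.com' matches any subdomain but not example.com itself."""
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return host == pattern_host


def _source_matches(source, page_url, url):
    """Match one source expression: 'self', a scheme such as https:, or a host."""
    scheme, host, port = _origin(url)
    if source == "'self'":
        return (scheme, host, port) == _origin(page_url)
    if source.endswith(":"):  # scheme-source, e.g. "https:"
        return scheme == source[:-1]
    pattern = urlparse(source if "://" in source else "//" + source)
    # A host source without a scheme inherits the page's scheme; https is
    # always accepted as an upgrade of an http source.
    want_scheme = pattern.scheme or _origin(page_url)[0]
    if scheme not in (want_scheme, "https"):
        return False
    # Without an explicit port the URL must use its scheme's default port.
    want_port = pattern.port if pattern.port is not None else DEFAULT_PORTS.get(scheme)
    if port != want_port:
        return False
    return _host_matches(pattern.hostname or "", host or "")


def script_allowed(page_url, script_src, url):
    """True if a script fetched from url (by a <script> element or by
    importScripts inside a worker on page_url) passes the script-src list."""
    sources = script_src.split()
    if sources == ["'none'"]:
        return False
    return any(_source_matches(s, page_url, url) for s in sources)
```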